Enterprise Vault, Compliance Accelerator and Discovery Accelerator temporary folder security checks

Enterprise Vault, Compliance Accelerator and Discovery Accelerator temporary folder security checks

Article: 100014060
Last Published: 2015-05-15
Ratings: 4 2
Product(s): Enterprise Vault

Problem

Enterprise Vault, Compliance Accelerator or Discovery Accelerator services fail to start and write an error with ID 4283 to the event log, which says that the TEMP folder security check has failed.

The Compliance Accelerator or Discovery Accelerator client repeatedly displays a message, which says that the TEMP folder security check has failed.

Error Message

Log Name: Symantec Enterprise VaultSource: Enterprise Vault Date: 13/03/2015 09:25:01Event ID: 4283Task Category: Admin ServiceLevel: ErrorKeywords: ClassicUser: N/AComputer: ev1.example.comDescription:Enterprise Vault Admin Service will be stopped due to failure of the temporary folder security check: temporary folder C:\Users\VAULTA~1\AppData\Local\Temp\ does not satisfy security requirements. See http://www.symantec.com/docs/TECH224726 for more information.

Cause

Enterprise Vault 11.0.1, Compliance Accelerator 11.0.1 and Discovery Accelerator 11.0.1 introduce checks to prevent unauthorized access to the temporary files they create.

Temporary files are placed in the folder that is configured as the TEMP folder for the Vault Service Account or other account under which a Compliance Accelerator or Discovery Accelerator service runs. This is typically defined by the %TMP%, %TEMP% or %USERPROFILE% environment variables for the relevant account. Note that, if none of these environment variables exist, the default temporary folder, such as C:\Windows\TEMP, could be used.

In some Active Directory implementations each user’s TEMP folder can be a subfolder of the usual TEMP folder, such as .\1 or .\2.

To protect against unauthorized access to the TEMP folder, which can contain sensitive data, Enterprise Vault, Compliance Accelerator and Discovery Accelerator services check access to the TEMP folder on startup, and periodically thereafter.

The relevant services check the TEMP folder’s discretionary access control list (DACL). If there is no DACL, the check fails. If the DACL is present, the services check the SID in each access control entry (ACE) and the test fails if access to the TEMP folder is granted to a SID that is not authorized by any of the following conditions:

  • It is a member of Local Administrators.
  • It is a member of Backup Operators.
  • It is a member of Domain Administrators.
  • It is the System account.
  • It is a member of System Operators.
  • It has been added to the TempFolderException registry value, which lists additional authorized accounts. For more information, see the follow sections.
  • It is Creator Owner of the folder, if the current owner is authorized by one of the conditions above.
  • It is the logged-on User Account, under which relevant service runs.

If you move the TEMP folder from the default location, additional unexpected accounts might have access due to inheritance in the new location. In this case, you should remove the additional accounts from the folder’s DACL, or add them to the TempFolderException registry value descibed below, if their access is appropriate.

Solution

Impact on Enterprise Vault

As a result of these security checks, the installation of Enterprise Vault is blocked if unauthorized access to the TEMP folder is detected. Enterprise Vault Deployment Scanner has been updated to determine if this issue exists, so we recommend that you run the Deployment Scanner before installation or upgrade to Enterprise Vault 11.0.1.

The Enterprise Vault Getting Started Wizard fails if unauthorized access is detected when it starts the Enterprise Vault Admin service. To avoid this, install Enterprise Vault using the Vault Service Account.

Starting the Enterprise Vault Admin Service prior to running the Enterprise Vault Configuration application on a fresh installation will fail. Previously following error was reported in this scenario.

“The Vault service Enterprise Vault Admin Service is configured to run under the Local System account. It should be configured to run under the Vault Service Account.”

Following installation or upgrade, the Enterprise Vault Admin service does not start if unauthorized access is detected during start up.

The Enterprise Vault Admin service stops if unauthorized is detected during an Enterprise Vault operation.

Security check exceptions for Enterprise Vault

Additional accounts can be allowed by the TEMP folder security checks, by adding them to the following registry key on each Enterprise Vault server:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS
Name: TempFolderExceptions
Type: String
Value: A semi-colon separated list of the allowed accounts.

Example: builtin\User1;domain\auditors group;domain\user_account

Note: The Builtin\Users machine-local group appears as domain\users in the Access Control List for the folder but must be added to the registry value as Builtin\Users and not as domain\Users

You can also disable TEMP folder security checks by creating the following registry value:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS
Name: SkipTempFolderCheck
Type: DWORD32
Value: 0 (checks enabled), 1 (checks disabled)

 

Impact on Compliance Accelerator and Discovery Accelerator servers

Compliance Accelerator server and Discovery Accelerator server and client can be installed if a security issue exists. However, the Accelerator Manager Service does not start if a security issue is detected during start up, and the Accelerator Manager Service stops if a security issue is detected during an operation.

The Compliance Accelerator and Discovery Accelerator clients will start if a security issue exists, however a pop-up box is displayed every minute highlighting the issue and interrupting use of the client until the issue is resolved.

Security check exceptions for Compliance Accelerator and Discovery Accelerator servers

Additional accounts can be approved for access by adding them to the following registry key on the Accelerator server:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS
Name: TempFolderExceptions
Type: String
Value: a list of the accounts to grant access to, separated by semi-colons

Example: builtin\User1;domain\auditors group;domain\user_account

You can also disable the TEMP folder security checks by adding the following registry key on the Compliance Accelerator or Discovery Accelerator server:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS
Name: SkipTempFolderCheck
Type: DWORD32
Value: 0 (checks enabled), 1 (checks disabled)

Security check exceptions for the Compliance Accelerator and Discovery Accelerator clients

Additional accounts can be approved for access by adding them to the following registry key on the client machine:

Location: HKEY_CURRENT_USER\SOFTWARE\KVS
Name: TempFolderExceptions
Type: String
Value: a list of the accounts to grant access to, separated by semi-colons

Example: builtin\User1;domain\auditors group;domain\user_account

Note: The Builtin\Users machine-local group appears as domain\users in the Access Control List for the folder but needs to be added to the registry key as Builtin\Users and not as domain\Users.

You can also disable the TEMP folder security checks by adding the following registry key on the Accelerator client:

Location: HKEY_CURRENT_USER\SOFTWARE\KVS
Name: SkipTempFolderCheck
Type: DWORD32
Value: 0 (checks enabled), 1 (checks disabled)

 

 

Was this content helpful?